Enabling #DNSSEC is easy as cake with PowerDNS. Just a copy & paste to INWX’s domain management console and that’s it.
Enabling DANE for my e-mail server was easy afterwards as well. There is no reason today not to have it :-)
First time I see #DNSSEC signatures with a validity period of only a few minutes…
And this log can now be queried through #DNS https://mastodon.gougere.fr/@DNSresolver/115995045484678683
(and with #DNSSEC authentication)
Built with the excellent Go DNS library https://github.com/miekg/dns
For #DNSSEC, the domain crate can use different crypto backends such as the ring crate or the #OpenSSL bindings. (But there are more.)
There is now a command-line tool to query the DNS, dnsi. And a CLI tool to do misc. manipulations, dnst ("people are using the ldns library example programs in production"). And a key manager, keyset.
@ruawhitepaw #Github is also missing #SSHFP DNS records and #DNSSEC, which would help protect their users accessing it via git over SSH!
Meh. FairEmail is once again refusing to connect to my mail server when DANE validation is enforced.
It claims the signatures stored in the TLSA record are not valid. But they are.
@koen @fediversity very cool! Could you also enable DNSSEC for pixelfed.com (after FOSDEM 😉). See https://internet.nl/site/pixelfed.com/3726854/
#validns v0.9.0 released!
- Support for WALLET and ZoneMD RR types
- Root zone membership check now correctly allows TLDs
- Report when DNSSEC signature algorithms are disabled by policy
- Several segfaults and code analysis issues fixed
and more, see full changelog for details!
#DNS #DNSSEC #Zone #Validation #OpenSource
https://codeberg.org/DNS-OARC/validns/releases/tag/v0.9.0
I wrote up something along these lines a few years ago using terminology from a presentation I had admired. Not specifically bound (pun!) to BIND9.
https://jpmens.net/2022/09/22/dnssec-signing-with-an-offline-ksk/
This article describes how to configure and operate BIND 9 with an offline KSK. Offline KSK was introduced in BIND 9.20.2, with support for KSK rollover in this mode added in 9.20.4
PowerDNS DNSdist 2.1.0-alpha1 Released
https://blog.powerdns.com/2026/01/29/powerdns-dnsdist-2.1.0-alpha1-released
First beta release of PowerDNS Recursor 5.4.0
https://blog.powerdns.com/2026/01/27/first-beta-release-of-powerdns-recursor-5.4.0 #dns #dnssec
We need to simplify client certificates for IoT and MTLS. One way is to anchor client certs in DNS.
The IETF DANCE working group needs more energy to complete our work. Want to join? Get on the mailing list now and help out!
https://datatracker.ietf.org/group/dance/about/
Weekend Reads
* IRR data quality
https://labs.ripe.net/author/tobias-striffler/the-irr-landscape-data-quality-the-good-the-bad-and-the-outdated/
* Roy Arends on DNSSEC
https://circleid.com/posts/the-excruciating-slow-rise-of-dnssec
* IP addresses through 2025
https://www.potaroo.net/ispcol/2026-01/addr2025.html
* Iran Internet shutdowns comparative analysis
https://ioda.inetintel.cc.gatech.edu/reports/a-comparative-look-at-internet-shutdowns-in-iran-2019-2022-2026-and-2026/
* Internet core partial reachability analysis
https://arxiv.org/abs/2601.12196
Visited #CSNOG26 conference, it was a great event. I had to disable #DNSSEC validation on their wifi network. Asked for a contact to the local network admin to ask what implementation is used. Surprise, they said #bind9. If you operate anything old enough to be capable of ``dnssec-enabled no;``, please don't use it anyway. Use ``dnssec-validation no;`` only. It will stop servfail caused by validation failures, but won't prevent validation at clients. Fix your forwarders or firewalls if that is not ok.
I talked recently about #dnssec with someone about .de and lack of updated algorithms but I can’t find the thread anymore. If that was you please ping me 😀
Are you doing something interesting with #DNS #security, #DNSSEC, routing security, or other forms of #Internet security that you would like to share with the wider (DNS-related) technical community?
If so, consider submitting a proposal for the "DNSSEC and Security Workshop" that will be held at ICANN 85 in Mumbai in March 2026.
Deadline is January 30. Note that you do NOT have to be in Mumbai (I will not be) - you can present remotely.